Web App Security for Java Developers - PWX 2021

Matt Raible | @mraible
December 7, 2021
Web App
Security for

Java Developers
Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas

View Slide

@mraible
Who is Matt Raible?
Father, Husband, Skier, Mountain
Biker, Whitewater Rafter

Bus Lover

Web Developer and Java Champion

Okta Developer Advocate

Blogger on raibledesigns.com and
developer.okta.com/blog
@mraible

View Slide

View Slide

developer.okta.com

View Slide

@mraible
Today’s Agenda
What is web app security?

7 simple ways to better app security

3 quick demos

🍃 Spring Boot

🅰 Angular

🤓 JHipster

View Slide

What is web app security?

View Slide

1. Use HTTPS

2. Scan your dependencies

3. Use the latest releases

4. Secure your secrets
7 Simple Ways to Better Web App Security
5. Use a Content Security Policy

6. Use OAuth 2.0 and OIDC

7. Prevent Cross-site request
forgery (CSRF)

View Slide

@mraible
1. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates

certbot can be used to generate certificates

mkcert can be used to create localhost certificates

Spring Boot Starter ACME for automating certificates

View Slide

What is HTTPS?
https://howhttps.works

View Slide

How HTTPS Works
https://howhttps.works

View Slide

HTTPS for Static Sites too!
https://www.troyhunt.com/heres-why-your-static-website-needs-https

View Slide

HTTPS is Easy!

View Slide

Force HTTPS in Spring Boot
@Configuration

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override

protected void configure(HttpSecurity http) throws Exception {

http.requiresChannel().anyRequest().requiresSecure();

}

}

View Slide

Force HTTPS in the Cloud
@Configuration


@Override


http.requiresChannel()

.requestMatchers(r
->
r.getHeader("X-Forwarded-Proto")
!=
null)

.requiresSecure();

}

}

View Slide

Force HTTPS in Spring WebFlux
@EnableWebFluxSecurity

public class SecurityConfiguration {

@Bean

SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

http.redirectToHttps(withDefaults());

return http.build();

}

}

View Slide

Force HTTPS in Spring WebFlux + Cloud
@EnableWebFluxSecurity

public class SecurityConfiguration {

@Bean

SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

http.redirectToHttps(redirect
->
redirect

.httpsRedirectWhen(e
->

e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))

);

return http.build();

}

}

View Slide

@mraible
“Why do we need HTTPS

inside our network?”

View Slide

@mraible
2. Scan Your Dependencies

View Slide

@mraible
GitHub + Dependabot

View Slide

@mraible
Full-featured Dependency Scanners

View Slide

3. Use the Latest Releases

View Slide

How well do you know your dependencies?
Dependency
Health
Indirect
Dependencies
Regular
Releases
Regular
commits
Dependencies

View Slide

Check for Updates with npm
npm i -g npm-check-updates

ncu

View Slide

Check for Updates with Maven
mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin

View Slide

Check for Updates with Gradle
plugins {

id("se.patrikerdes.use-latest-versions") version "0.2.17"

id("com.github.ben-manes.versions") version "0.39.0"

...

}
$ ./gradlew useLatestVersions
https://github.com/patrikerdes/gradle-use-latest-versions-plugin

View Slide

@mraible
4. Secure Your Secrets

View Slide

HashiCorp Vault and Azure Key Vault

View Slide

https://developer.okta.com/blog/2020/05/04/spring-vault
Secure Secrets With Spring Cloud Config and Vault

View Slide


View Slide

Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

X-Content-Type-Options: nosniff

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Frame-Options: DENY

X-XSS-Protection: 1; mode=block

View Slide

Add a Content Security Policy with Spring Security
@EnableWebSecurity


@Override


http.headers()

.contentSecurityPolicy("script-src 'self' " +

"https:
//
trustedscripts.example.com; " +

"object-src https:
//
trustedplugins.example.com; " +

"report-uri /csp-report-endpoint/");

}

}

View Slide

Test Your Security Headers
https://securityheaders.com

View Slide

@mraible
6. Use OAuth 2.0 and OpenID Connect
OpenID Connect
OAuth 2.0
HTTP
OpenID Connect is for
authentication

 
OAuth 2.0 is for authorization

View Slide

@mraible
Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

View Slide

@mraible
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

View Slide

@mraible
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow

Redirect URIs must be compared using exact string matching

The Implicit grant is omitted from this specification

The Resource Owner Password Credentials grant is omitted from this specification

Bearer token usage omits the use of bearer tokens in the query string of URIs

Refresh tokens for public clients must either be sender-constrained or one-time use

View Slide

7. Prevent CSRF Attacks

View Slide

Configure CSRF Protection with Spring Security
@EnableWebSecurity


@Override


http

.csrf()

.csrfTokenRepository(

CookieCsrfTokenRepository.withHttpOnlyFalse());

}

}

View Slide

SameSite Cookies

View Slide

@mraible
Demos!
🍃 🅰 🤓

View Slide

1. Use HTTPS

2. Scan your dependencies

3. Use the latest releases

4. Secure your secrets
Recap: 7 Simple Ways to Better Web App Security

6. Use OAuth 2.0 and OIDC

7. Prevent Cross-site request
forgery (CSRF)

View Slide

developer.okta.com/blog

@oktadev

View Slide

Curious About Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

View Slide

Or Auth Security Patterns?
https://bit.ly/mraible-springone-2021

https://youtu.be/CebTJ7Nq1Hs

View Slide

Thanks!

Keep in Touch

raibledesigns.com

@mraible

Presentations

speakerdeck.com/mraible

Code

github.com/oktadev
developer.okta.com

View Slide

developer.okta.com

View Slide

Web App Security for Java Developers - PWX 2021

Web App Security for Java Developers - PWX 2021

Matt Raible
PRO

More Decks by Matt Raible

Other Decks in Programming

Featured

Transcript

Web App Security for Java Developers - PWX 2021

Web App Security for Java Developers - PWX 2021

Matt Raible PRO

More Decks by Matt Raible

Other Decks in Programming

Featured

Transcript

Matt Raible
PRO